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- The MAILING DATE of this communication appears on the cover sheet with the correspondence address ~ 
Period for Reply 

A SHORTENED STATUTORY PERIOD FOR REPLY IS SET TO EXPIRE 3 MONTH (S) OR THIRTY (30) DAYS 
WHICHEVER IS LONGER, FROM THE MAILING DATE OF THIS COMMUNICATION. 

- Extensions of time may be available under the provisions of 37 CFR 1.136(a). In no event, however, may a reply be timely filed 
after SIX (6) MONTHS from the mailing date of this communication. 

- If NO period for reply is specified above, the maximum statutory period will apply and will expire SIX (6) MONTHS from the mailing date of this communication 

- Failure to reply within the set or extended period for reply will, by statute, cause the application to become ABANDONED (35 U S C § 133) 
Any reply received by the Office later than three months after the mailing date of this communication, even if timely filed may reduce anv 
earned patent term adjustment. See 37 CFR 1.704(b). y 

Status 

1)S Responsive to communication(s) filed on 03 November 2003 . 
2a)Q This action is FINAL. 2b)E] This action is non-final. 

3) D Since this application is in condition for allowance except for formal matters, prosecution as to the merits is 

closed in accordance with the practice under Ex parte Quayle, 1 935 CD. 11, 453 O.G. 21 3. 

Disposition of Claims 

4) M Claim(s) 1-17 is/are pending in the application. 

4a) Of the above claim(s) is/are withdrawn from consideration. 

5) D Claim(s) is/are allowed. 

6) IEl Claim(s) M7 is/are rejected. 

7) D Claim(s) is/are objected to. 

8) D Claim(s) are subject to restriction and/or election requirement. 

Application Papers 

9) D The specification is objected to by the Examiner. 

10) D The drawing(s) filed on is/are: a)D accepted or b)D objected to by the Examiner. 

Applicant may not request that any objection to the drawing(s) be held in abeyance. See 37 CFR 1.85(a). 
Replacement drawing sheet(s) including the correction is required if the drawing(s) is objected to. See 37 CFR 1.121(d). 

11) D The oath or declaration is objected to by the Examiner. Note the attached Office Action or form PTO-152. 

Priority under 35 U.S.C. § 119 

12) D Acknowledgment is made of a claim for foreign priority under 35 U.S.C. § 1 19(a)-(d) or (f). 
a)D All b)D Some * c)D None of: 

1 .□ Certified copies of the priority documents have been received. 

2. Q Certified copies of the priority documents have been received in Application No. . 

3. Q Copies of the certified copies of the priority documents have been received in this National Stage 

application from the International Bureau (PCT Rule 17.2(a)). 
* See the attached detailed Office action for a list of the certified copies not received. 
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DETAILED ACTION 

Claims 1-17 are presented for examination. 

Priority 

This application claims the benefit of US Provisional Application Serial No. 
60/423,557, filed Nov. 04, 2002. 

Claim Objections 

Claim 10 is objected to because of the following informalities: in line 2 the 
claim reads "physical later" instead ^of "physical layer". Appropriate correction 
is required. 

Claim Rejections - 35 USC §101 

35 U.S.C. 101 reads as follows: 

Whoever invents or discovers any new and useful process, machine, manufacture, or 
composition of matter, or any new and useful improvement thereof, may obtain a patent 
therefor, subject to the conditions and requirements of this title. 

Claim 1 is rejected under 35 U.S.C. 101 because it is directed to a data 
structure ("A memory for storing a data structure for tracking network 
behavior, comprising: a connection table When nonfunctional descriptive 
material is recorded on some memory, it is not statutory since no requisite 
functionality is present to satisfy the practical application requirement. Merely 
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claiming nonfunctional descriptive material, i.e., abstract ideas, stored in a 
memory, does not make it statutory. 

Double Patenting 

The nonstatutory double patenting rejection is based on a judicially created 
doctrine grounded in public policy (a policy reflected in the statute) so as to 
prevent the unjustified or improper timewise extension of the "right to exclude" 
granted by a patent and to prevent possible harassment by multiple assignees. 
A nonstatutory obviousness-type double patenting rejection is appropriate 
where the conflicting claims are not identical, but at least one examined 
application claim is not patentably distinct from the reference claim(s) because 
the examined application claim is either anticipated by, or would have been 
obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 
USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 
(Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In 
re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 
F.2d 438, 164 USPQ 619 (CCPA 1970); and In re Thorington, 418 F.2d 528, 
163 USPQ 644 (CCPA 1969). 

A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 
1.321(d) may be used to overcome an actual or provisional rejection based on a 
nonstatutory double patenting ground provided the conflicting application or 
patent either is shown to be commonly owned with this application, or claims 



Application/Control Number: 1 0/70 1 , 1 5 5 Page 4 

Art Unit: 2153 

an invention made as a result of activities undertaken within the scope of a 
joint research agreement. 

Effective January 1, 1994, a registered attorney or agent of record may 
sign a terminal disclaimer. A terminal disclaimer signed by the assignee must 
fully comply with 37 CFR 3.73(b). 

Claims 1-17 are provisionally rejected on the ground of nonstatutory 
obviousness-type double patenting as being unpatentable over claims 1-22 of 
copending Application No. 10701154 and claims 1-36 of copending Application 
No. 10701356. Although the conflicting claims are not identical, they are not 
patentably distinct from each other a comparison between instant application 
independent claim 1 and the claims 1 and 14 (of the copending application 
number 10701154) and claims 1, 19, and 25 (of the copending application 
number 10701356) reveal the copending claims are simply species of the 
broader claim 1 of the instant application. Hence, claim 1 of the instant 
application is generic to the species of the invention covered by independent 
claims of the copending applications stated above. Thus, the broad generic 
invention is anticipated by the narrower species of the co-pending invention, 
thus without a terminal disclaimer, the species claims preclude issuance of the 
generic application. See In re Goodman, 1 1 F.3d 1046, 29 USPQ2d 2010 (Fed. 

Cir. 1993). 
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Instant Application 
10/701155 



Copending Application 
10/701154 



Copending Application 
10/701356 



Claim 1 : A memory device 
storing a data structure for 
tracking network behavior, 
comprising: 



a connection table that 
maps each node of a 
network to a record object 
that stores information 
about traffic to or from the 
node and between that node 
and others nodes in the 
network. 



Claims 1 : A system , 
comprising: 

a plurality of collector 
devices that are 



disposed to collect 
statistical information 
on packets that are 
sent between nodes 
on a network ; 



an aggregator that 
receives network data 
from the plurality of 
collector devices, 

and which produces 
a connection table 
that maps each node 
on the network to a 
record that stores 
information about 
traffic to or from the 
node. 



Claim 14, A method, 
comprises: providing a 
plurality of collector 
devices in a network to 
collect statistical 
information on packets that 
are sent between nodes on 
a network; and sending 
statistical information from 
the collector devices to an 
aggregator, the aggregator 

producing a connection 
table that maps each 



Claims 1 : A device 
comprising: 



a processor; 



a memory storing a 
connection table that 
maps each node of a 
network to a host 
object, the connection 
table stores 
information about 
traffic to or from the 
node. 



Claim 19, A computer 
program product 
residing on a computer 
readable medium for 
use in detecting network 
intrusions comprises 
instructions for causing 
a processor to: 

store a connection 
table that maps each 
node of a network to a 
host object, the 
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Claim association: 


node on the network to a 
record that stores 
information about traffic 
to or from the node 


connection table 
stores information 
about traffic to or from 
the node 


1 (independent claim) 


1 ^14 ( Jnrlpn Plmc \ 
1 Oo X ^ ^ XI1U.CJJ. V-slIIlo.J 


1, 19 8& 25 ( Ind. Clms.) 


2 


8 and 17 


5 


3 


9 and 18 


6 


4 


10 and 19 


7 


5 


1 1 and 20 


8 


6 


12 and 21 


9 and 30 


7 and 8 


13 and 22 


10 and 31 



This is a provisional obviousness-type double patenting rejection .because 
the conflicting claims have not in fact been patented. 



Claim Rejections - 35 USC §102 



The following is a quotation of the appropriate paragraphs of 35 
U.S.C. 102 that form the basis for the rejections under this section made in 
• this Office action: 

A person shall be entitled to a patent unless - 

(e) the invention was described in a patent granted on an application for patent by another 
filed in the United States before the invention thereof by the applicant for patent, or on an 
international application by another who has fulfilled the requirements of paragraphs (1), 
(2), and (4) of section 371(c) of this title before the invention thereof by the applicant for 
patent. 

The changes made to 35 U.S.C. 102(e) by the American Inventors 
Protection Act of 1999 (AIPA) and the Intellectual Property and High Technology 
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Technical Amendments Act of 2002 do not apply when the reference is a U.S. 
patent resulting directly or indirectly from an international application filed 
before November 29, 2000. Therefore, the prior art date of the reference is 
determined under 35 U.S.C. 102(e) prior to the amendment by the AIPA (pre- 
AIPA 35 U.S.C. 102(e)). 

Claims 1-9 and 11-17 are rejected under 35 U.S.C. 102(e) as being anticipated 
by Tarns et al U.S. Publication Number (20030069952), hereinafter * Tarns". 

4 

As per claim 1, Tarns (20030069952) teaches a memory device (fig. 2, 162) 
storing a data structure for tracking network behavior fl[ 0079-008 1 and 
TJ0198), comprising: 

a connection table (fig, 2, data table and Table 2, page 1 1) that maps 
each node of a network to a record object that stores information about traffic 
to or from the node and between that node and others nodes in the network (| 
0157-0164 and f0210. See TABLE 2, page 11). 

As per claims 2 and 3, Tarns teaches wherein the connection table includes a 
plurality of records that are indexed by source and destination address (See 
TABLE 2, page 11). 



As per claim 4, Tarns teaches the device of claim 1 wherein the connection 
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table includes a plurality of records that are indexed by time (1f0198 and 
1|020 1-0206; see steps in fig. 8). 

As per claim 5, Tarns teaches the device of claim 1 wherein the connection 
table includes a plurality of records that are indexed by source address, 
destination address and time (See TABLE 2, page 1 1 and U 0198 and % 0201- 
0206). 

As per claim 6, Tarns teaches the device of claim 1 wherein the connection 
table is a plurality of connection sub-tables each sub-table having data 
pertaining to network traffic over different time scales (1J0198 and 1J0201-0208; 
see the time scale data structure (709,711,713 and 715 in fig. 7). 

As per claim 7, Tarns teaches the device of claim 1 wherein the connection sub- 
tables include a time-slice connection table that operates on a small unit of 
time and at least one other sub-table that operates on a larger unit of time 
than the time slice sub-table. (1|0198 and 1(0201-0208; see the time scale data 
structure (709,711,713 and 715 in fig. 7). 

As per claim 8, Tarns teaches the device of claim 7 wherein the at one sub-table 
holds records received from all collectors over the time scale of the table (1f0198 
and H0212). 
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As per claim 9, Tams teaches the device of claim 5 wherein the addresses 
indexing the connection table are IP addresses (See TABLE 2, page 1 1). 

As per claim 1 1 , Tams teaches the device of claim 1 wherein the host record of 
a first host also maps to a second host which communicates with the first host 
to a "host pair record" that has information about all the traffic from between 
the first and second hosts (TJ0201 and 1J0209-0210). 

As per claim 12, Tams teaches the device of claim 1 wherein connection data 
structure enables a consuming device to obtain summary information about 
one host and about the traffic between any pair of hosts, in either direction 
(HO 118) 

As per claim 13, Tams teaches the device of claim 1 wherein a record stores a 
measure of the number of bytes, packets, and connections that occurred 
between hosts during a given time-period 0157-0164 and f0210. See 
TABLE 2, page 11). 

As per claim 14, Tams teaches wherein data in the record is organized by well 
known transport protocols and well-known application-level protocols fl[ 0151- 
0157 and 1(0161-168. See TABLE 2 and TABLE 4A-4B in page 11). 
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As per claim 15, Tarns teaches the device of claim 1 wherein host records have 
no specific memory limit (1(0202-0206). 

As per claim 16, Tarns teaches the device of claim 1 wherein for application- 
level protocols and for every pair of hosts, the connection table stores statistics 
for traffic between the hosts (H 0151-0157 and H0161-168. See TABLE 2 and 
TABLE 4A and 4C in page 11). 

As per claim 17, Tarns teaches the device of claim 16 wherein the connection 
table stores protocol-specific records as (protocol, count) key-value pairs (^ 
0151-0157 and 10161-168. See TABLE 2 and TABLE 4A-4B in page 11). 

Claim Rejections - 35 USC §103 

The following is a quotation of 35 U.S. C. 103(a) which forms the basis for 
all obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or 
described as set forth in section 102 of this title, if the differences between the subject 
matter sought to be patented and the prior art are such that the subject matter as a whole 
would have been obvious at the time the invention was made to a person having ordinary 
skill in the art to which said subject matter pertains. Patentability shall not be negatived by 
the manner in which the invention was made. 
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Claim 10 is rejected under 35 U.S.C. 103(a) as being unpatentable over Tarns 
et al U.S. Publication Number (20030069952), hereinafter * Tarns" in view of 
Maufer et al U.S. Patent Number (7120930), hereinafter " Maufer". 

As per claim 10, although Tarns shows substantial. features of the claimed 
invention including a table with plurality of records, he does not explicitly show 
a physical [layer] address to IP address map that is used to determine Host ID. 

Nonetheless, this feature is well known in the art and would have been an 
obvious modification of the system disclosed by Tarns, as evidenced by Maufer 
U.S. Patent Number (7120930). 

In analogous art, Maufer whose invention is about a Method and apparatus for 
enhanced security for communication over a network including a mapping 
table accessible by a gateway computer used to form associations between a 
local address for the client and a destination address for a peer and a Security 
Parameters Index associated with IPSec-protected traffic from the peer 
(abstract), discloses a physical [layer] address to IP address map that is used to 
determine Host ID (col. 16, line 51-65 and table 300, fig. 5A. See also col. 5, 
lines 36-60). 

Giving the teaching of Maufer, a person of ordinary skill in the art would have 
readily recognized the advantage of modifying Tarns by employing the enhanced 
network security system of Maufer for particularly identifying traffic flowing 
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from a remote address to the local address using physical layer (MAC) address 
to IP address mapping in order to verify hosts belonging to the private network 
from unknown intruders of the public network. In this way fake packets 
belonging to unknown sources are recognized and discarded. 

Conclusion 

The prior made of record and not relied upon is considered pertinent to 
applicant's disclosure. 

Any inquiry concerning this communication or earlier communications 
from the examiner should be directed to Yasin Barqadle whose telephone 
number is 571-272-3947. The examiner can normally be reached on 9:00 AM 
to 5:30 PM. 

If attempts to reach the examiner by telephone are unsuccessful, the 
examiner's supervisor, Glenn Burgess can be reached on 571-272-3949. The 
fax phone numbers for the organization where this application or proceeding is 
assigned are 703-872-9306 for regular communications and 703-746-7238 for 
After Final communications. 

Any inquiry of a general nature or relating to the status of this 
application or proceeding should be directed to the receptionist whose 
telephone number is 703-305-3900. 
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Information regarding the status of an application may be obtained form 
the Patent Application Information Retrieval (PAIR) system. Status information 
for published applications may be obtained from either private PAIR or public 
PAIR system. Status information for unpublished applications is available 
through private PAIR only. For more information about the PAIR system, see 
http://pair-direct.uspto.gov. Should you have questions on access to the 
Private PAIR system, contact the Electronic Business Center (EBC) at 866-217- 
9197 (toll-free). 
YB 

Barqadle Yasin 
Art/Hnit 2153 



